Description
Socket versions before 2.041 for Perl have an out-of-bounds heap read.

In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer.

Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Socket module’s pack_ip_mreq_source function, which performs a length check based on the previous address parameter rather than the actual source argument. As a result, a source address shorter than four bytes passes validation, and the function copies up to three bytes beyond the end of its buffer into the fixed 4‑byte field, exposing adjacent heap memory.

Affected Systems

The vulnerability affects the Perl Socket module provided by PEVANS. Any installation of Socket versions earlier than 2.041 is susceptible, regardless of the Perl runtime version.

Risk and Exploitability

With a CVSS score of 9.1, this issue is considered high severity, yet the EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation campaigns. Attackers would need to invoke pack_ip_mreq_source with a source argument shorter than four bytes within a Perl application that imports the Socket module, potentially leaking arbitrary heap memory into the generated structure.

Generated by OpenCVE AI on June 17, 2026 at 21:53 UTC.

Remediation

Vendor Solution

Upgrade to version 2.041 or later.


OpenCVE Recommended Actions

  • Upgrade the PEVANS Socket Perl module to version 2.041 or later.
  • In application code, validate that any source address passed to pack_ip_mreq_source is at least four bytes long before the function is called.
  • Run Perl scripts that use the Socket module under the lowest privilege that the application requires to limit the impact of any memory disclosure.

Generated by OpenCVE AI on June 17, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Pevans
Pevans socket
Vendors & Products Pevans
Pevans socket

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Tue, 16 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate


Tue, 16 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Mon, 15 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
Title Socket versions before 2.041 for Perl have an out-of-bounds heap read
Weaknesses CWE-125
CWE-805
References

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-16T15:59:27.883Z

Reserved: 2026-06-12T13:29:50.478Z

Link: CVE-2026-12087

cve-icon Vulnrichment

Updated: 2026-06-15T23:33:50.725Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T22:16:16.197

Modified: 2026-06-16T17:16:32.050

Link: CVE-2026-12087

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T21:11:09Z

Links: CVE-2026-12087 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:27Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-805

    Buffer Access with Incorrect Length Value